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1 Introduction 

Quantum signature is the counterpart in the quantum world of classical digi¬ 
tal signature. Most classical digital signature schemes are based on public key 
cryptography which can be broken by Shor’s algorithm |T;. Quantum signature, 
which is based on the laws of quantum physics, can provide us unconditional 
security. Many different quantum signature models are proposed for differ¬ 
ent application demands, such as arbitrated quantum signature OOHlOElIXl ^ 
quantum proxy signature pi MTOirTT] , quantum group signature [mum 
quantum blind signature PMZEB] and quantum multiple signature muni. 

A secure quantum signature scheme should satisfy the following two ba¬ 
sic requirements: (1) No forgery. Specifically, the signature cannot be forged 
by any illegal signatory. (2) No disavowal. The signatory cannot disavow his 
signature and the receiver cannot disavow his receiving it. Furthermore, the 
receiver cannot disavow the integrity of the signature [4] . 

As quantum cryptography has developed, many cryptanalysis of existing 
protocols have been presented [211122112811241125112611271 Some effective attack 
strategies also have been proposed to eavesdrop in the existing quantum cryp¬ 
tography protocols [25], such as intercept-resend attacks [22]: entanglement 
swapping attacks j5M3TI[35] . teleportation attacks [331134] . dense-coding at¬ 
tacks [3511351137] . channel-loss attacks [331135] . denial-of-service attacks mm, 
correlation—extractability attacks [4211431144] . Trojan horse attacks [45114611471 
145] . participant attacks [45] and collaborate attacks [SO]. Understanding these 
attacks is very important for designing quantum signature schemes with higher 
security. It also advances the research in quantum signature. Zou and Qiu [5] 
analyzed the arbitrated quantum signatures based on GHZ states and Bell 
states, finding that the receiver Bob can successfully reject the signature by 
disavowing its integrity. Then they proposed a new scheme by using a public 
board to fix this security loophole in which the entanglement was not needed 
any more. 

Gao et al. m gave a perfect cryptanalysis on existing arbitrated quantum 
signature. They found that the signature can be forged by the receiver at will in 
almost all the existing AQS schemes and the sender can disavow the signature 
just by an intercept-resend method. Due to the existence of serious loopholes, it 
is imperative to reexamine the security of other quantum signature protocols. 

Recently, a broadcasting multiple blind quantum signature scheme based 
on quantum teleportation has been proposed in Ref. m- It is said to have the 
properties of both quantum multiple signature and quantum blind signature. 
Here we show that it is not a real blind signature because the signatory can 
get the content of the signed message. In addition, the signed message can 
be modified at random by any attacker. Moreover, there are some participant 
attacks and external attacks existing in the scheme. For instance, the message 
sender Alice can impersonate Ui successfully as she can get the content of 
the signature and I/^’s secret key Kcu,■ Moreover, Alice can sign arbitrary 
message at will. The signature collector Charlie can counterfeit the signature 
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optionally. With respect to the external attacks, the eavesdropper Eve can 
forge Ui s signature at will without knowing the secret key Ecu,- 

All the attack strategies are described in detail and finally we present an 
improved scheme which can resist all the mentioned attacks. Meanwhile, since 
all the secret keys can be reused, it may greatly increase the scheme’s efficiency 
and make it more practical. 

The rest of this paper is organized as follows. First, in Section 2 we review 
the original protocol briefly. In Section 3 we present the security analysis of 
the original protocol and describe the attack strategies in detail. In Section 4 
we present an improved scheme and analyze its security by showing that the 
improved one can resist all the attacks mentioned above and that the keys can 
be used again and again. In Section 5 a short conclusion is given and an issue 
worthy on further research is proposed. 


2 Review of the original protocol |51j 

The protocol involves the following four characters: (1) Alice is the message 
sender. (2) Ui is the Ath member of broadcasting multiple signatory. (3) Char¬ 
lie is the signature collector. (4) Bob is the receiver and the verifier of the 
broadcasting multiple blind signature. 

The scheme is composed of three parts: the initial phase, the individual 
blind signature generation and verification phase, and the combined multiple 
blind signature verification phase. 

In this scheme, Alice sends t copies of n-bit classical message m to t signa¬ 
tories Ui (i = 1,2,--- ,t) respectively, then Ui signs the message m to get the 
blind signature Si and sends S t to Charlie. Charlie collects and verifies these 
blind signatures, then he constructs a multiple signature and sends it to Bob. 
Finally, Bob verifies the multiple signature by confirming the message. 

(1) Initial phase 

(1.1) Alice transforms the classical message to into n-bit as 

to = to(1)||to( 2)|| • • • ||m(j)|| • ■ • ||m(n), (1) 

m(j) =0 or m(j) = 1, 

J = 1,2,--- , n. 

(1.2) Quantum key distribution 

Alice shares a secret key Kab with Bob, a secret key Kac with Charlie, 
and secret keys Kau, (* = 1, 2, • • - ,t) with each signatory Ui, respectively. 
Bob shares a secret key Kbc with Charlie, Charlie shares secret keys Kcu t 
(i = 1, 2, • • • ,t) with each signatory Ui respectively. To obtain unconditional 
security, all these keys are distributed via QKD protocols. 

(1.3) Alice sends E c ^ ab (to) to Bob 

Here E c means classical one-time pad algorithm, 

Ek ab {m) = k ab © m. 


(2) 
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E® in the later means quantum one-time pad 

n 

E%{\P)) = ®v'? i -'v k z 2i \Pi), ( 3 ) 

2=1 

K is a secret key with \K\ = 2 n, Ki is the K' s i-bit. | P) is an n-bit quantum 
message, | Pi) is its i-bit. a x and a z are two Pauli operators. 

(2) The individual blind signature generation and verification phase 
In this phase, we pick one of the signatory Ui as the representative who 
signs the message. 

(2.1) Message transformation 

Assume that Alice is to send the message to. She prepares n-qubit state 
| ip(m)) M as 


I= 0 | 

i =i 


where 


I *PU))m = 


7f(l° )m + |1)m) 
7f(|0 )m - |1)m) 


if 

if 


m{j) = 1 
m(j) = 0. 


(2.2) Quantum channel setup 

Alice prepares n EPR pairs. Each pair is denoted as 


( 4 ) 

( 5 ) 


I a(j))AC = + I = 1,2,3, • • • ,n + l. (6) 

(2.3) Signature Phase 

(2.3.1) Alice picks up her n EPR particles denoted as {|<p(AT))a}, i.e. 

= mi)) a, k(2 ))a, • • • , \<p(J))a, • • • , \ip{n)) A }, (7) 

and the other n EPR particles denoted as {|<p(A r ))c}, i.e. 

mN))c} = (b(l))c, b(2 ))c, • • • , I <pV))c, • • • , W{n))c}. (8) 

(2.3.2) To distinguish each signatory, Alice creates a unique serial number 
which is denoted as SN attaching to {|y>(lV)) J 4 }. Since SN is a classical string, 
Alice transfers it to a quantum state sequence | SN) with the basis Bz = 
(|0), 11)}. Then she sends B% AU (I iI>(N))ma, |S'iV)) to Ui. Here 

n 

\4’)MA=($Q\‘ll>U))M®\<P{j))A- (9) 

3 =1 

After that, Alice sends E^ Ao ({\ip(N))c}, |5AT)) to Charlie. 

(2.3.3) Ui decrypts P% AU . (IV’)ma, | SN)) to get \ip) M A and \SN), then he 
performs Bell-basis measurement to get the outcomes {@MA(j)\j = 1, 2, • • • , n}. 
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Each [3mA (j) = (3ki(k,l £ {0,1}) is expressed by 2-bit string kl according to 
\Pki) kl. Then he gets Si as 


Si = /3ma(1)]|/3ma(2)|| • • • 11 Sm a (J) | j • • • ||/?ma(«)- (10) 

(2.3.4) Ui sends E^ cu (Si,SN) to Charlie. 

(2.4) Verification Phase 

(2.4.1) Charlie decrypts E^ cu (Si,SN )to get the signature Si and SN. 

(2.4.2) According to Si, SN and quantum teleportation, Charlie performs 
one of the corresponding reverse transformation (/, X, Y, Z) on each particle 
\<p(j))c i n his hand to get \ip'(j))c- He obtains \tp'(m))c as 

n 

\ip'(m)) c = 0 W{j))c- (U) 

o =i 

(2.4.3) Charlie gets m' by measuring each \ip'(j)) in the basis of {^j(|0)m + 
|1)m), 7|(|0)m - |1)m)}- Then he sends E% Bc (m') to Bob. 

(2.4.4) Bob decrypts Ej^ AB (m) by the secret keys Kbc and 

Kab respectively and compares to with m!. If they are the same, Si is accepted. 
Otherwise, it is rejected. 

(3) The combined multiple signature generation and verification phase 

(3.1) Charlie collects all individual signatures to generate the multiple sig¬ 
nature S = {Si|* = 1, 2, ■ ■ ■ ,t} and generates the message {rn' t \i = 1,2, ■ ■ ■ , t}. 
If to' is equal to to' +1 [i = 1, 2, • • •, t — 1), he confirms the message and sends 
E k bc (to'O to Bob. If it is not equal, the process is terminated. 

(3.2) After Bob decrypts E^ Bc (m , 1 ) and E^ ab (to), he accepts S if to \ is 
equal to to, otherwise he terminates the process. 


3 Cryptanalysis of the original protocol 

In this section, we point out that there are some security loopholes in the 
scheme in Ref. [51] and describe the corresponding attack strategies in detail. 


3.1 Each Ui can learn the signed message m 

The scheme is claimed to have properties of quantum blind signature so that 
the signatory cannot learn the signed message. Here we show that each signa¬ 
tory Ui can get the message just by a single particle measurement. 

Suppose Alice wants to send an re-bit classical message to to get Ui ’s signa¬ 
ture, according to the scheme, she will transform it into n-qubit state IV’(to ))m 
according to Eq. ( 4 ) andEq. (5). Because -^(| 0 ) m +| 1 )m ) and -L(|0 ) m -|1) m) 
are orthogonal to each other, they can form an orthonormal basis of the two 
dimensional Hilbert Space. When Ui gets K^ v . (|^>(to))ma) from Alice in the 
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signature phase, he can decrypt it and perform a single particle measurement 
in the basis of {-^=(|0)m + I 1 )m), 75(|0)m — |1)m)} on the first state to get the 
message to, which has no effect on the following process. From this problem, 
we can see the original scheme is not a real blind signature scheme. 


3.2 Any attacker can modify Message to at random 

Here we show the signed message in can be modified at random through the 
intercept-resend method by any attacker, including participant attackers or 
external attackers. 

In the original scheme, message to and m' are encrypted according to the 
one-time pad encryption algorithm during their transmission. Any attacker can 
intercept (to) and resend E^ ab (to)© mo to Bob in Step (1.3). According 
to the scheme, Bob will get ?n©?no instead of m, here too is an arbitrary 2?z-bit 
random binary string. At the same time, he intercepts E c ^ Bc (in') and resends 
E k bc (to') © too in Step (2.4.3). According to the scheme, m © Too can pass 
the following verification process. Because mo is arbitrary, to can be modified 
at random by any attacker through intercept-resend method. 


3.3 Alice’s attack 

To illustrate Alice’s attack, here take a 1-bit message m(j) to make a demon¬ 
stration. 


3.3.1 Alice can get the signature 

Suppose Alice sends the message m(j) to get t/,;’s blind signature Si(j). From 
the scheme, we can see that Ui signs m(j) by measuring \i^(J))ma in the Bell 
basis, which is sent from Alice in Step(2.3.3). Alice can get Si(j) = 8ki by 
measuring \iP(J))ma on Bell basis and recording the outcome 8u before she 
sends it to Ui. Instead, Alice sends the two particle state \8h)ma to t/j. Then 
Ui s measurement outcome is Ski ■ Then Alice can get each S)(j). 


3.3.2 Alice can get Ui ’s secret key KcUi 

It has been illustrated that Alice can get each S',; (j), then Alice can get Ui s 
signature S). Alice can intercept E%- cu (Si)\\SN when it is sent from Ui to 
Charlie in Step (2.3.4). Because Alice knows Si, she can extract Ui s secret 
key K C Ui by adding S) to E% cu XSi) as K C u t = S) © E% cu .(Si). Then she 
resends E^ cu (S'i)||S'iV to Charlie. All of these cannot be discovered. 
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3.3.3 Alice can sign the message at will 

We can see that Alice can completely replace the signatory [/,; to sign the 
message. In order to illustrate Alice can sign arbitrary message at will, we 
will demonstrate the quantum teleportation process of the above protocol as 
follows: 

Suppose that the particle M carry a 1-bit classical information m(j) and 
the state of particle M are denoted as 

+ d\l) M ), d = ±1. (12) 

The EPR pairs shared between Alice and Charlie are denoted as 

\a{j))AC = -j={\QQ)ac + |U)ac)- (13) 

The two states are combined to form a three particle state \$(j)) as 


\m) 


where 


\^U))m < 8 > | a{j))AC 

/10 )m + d\V)M w |00)^c + 1 11) ac x 

v fK fK / 






1[IW^( |0>C ^ |1>C ) + lft.)^( |1>c ^ |0>c ) 

+ift.)M.( |0>c ~i |1)c ) + ift,) J »( |1>c ~i |0>c )]. 


72 


72 


|/3oo )ma 
|/?oi )ma 
|/?io )ma 
and \/3n) M A 


|00)ma + 111 )ma 

V2 

|01)ma + |10)ma 

71 

|00)ma — |U)ma 

72 

|01)ma — |10)ma 

71 


(14) 


(15) 

(16) 

(17) 

(18) 


From Eq. (14), we can see if the measurement outcome is /3oo, the state of 
the particle C is just the information state |V’(j))m- Then we take operation 
/ on the state of C. If the measurement outcome is /3oi, then we perform 
operation X on C to recover it to the information state. If the outcomes are 
/3io and d \\, then we take the operation Z and Y respectively. 

Here, we show Alice can modify the signature S- t (j ) at random as follows: 
When Alice prepares 1 4>(j))M and | a(j))AC hr Step (2.1) and Step (2.2), she 
does not send \(p{j))c to Charlie and \ip(j))MA to Ui immediately. Instead, 
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she performs a Bell-basis measurement on |V’(j))ma to get the outcome fiu 
and she sends another Bell state |/3 k’i')MA to 17*. Then the signature Si(j) = 
(3ki has been changed into S[(j) = fik'i'- In order to make sure S-(j) can 
pass the verification, Alice performs a corresponding operator V on | <p(j))c 
before sending it to Charlie. Alice can derive the corresponding operator V 
according to Eq. (14). Assume | iPU))m is teleported from Alice to Charlie 
and the measurement outcome is Bki ■ Also using this equation, Charlie will 
performs a Pauli operator V\ on | <p(j))c to make sure 

Vi\y(j))c = (19) 

In other words, the particle C is in the state 

\v{j))c = Vi\il>{j)) M - ( 20 ) 

Here A = B means A is equivalent to B except for a global phase. Alice 
performs the corresponding V on |<^(j))cs so 

\<p{j))c = V'V^{j)) M . ( 21 ) 

Here is the conjugate transpose of V. When S,(j) is changed into S[(j), 
Charlie will take another Pauli operator V 2 on \<p(j))c to return it to the 
information state |V , (j))m, then 

\<PU))c = V 2 V^V 1 \m )m = | m)M. (22) 

From Eq. (22), we can conclude that 


V 2 VW 1 =I or V = V-^ 2 . (23) 

We take a simple example to make an illustration. Suppose Alice get the 
measurement outcome fioo, but she sends \fim) am to Ui , according to Eq. (14), 
Vj = J, V 2 = X, then V = X according to Eq. (23). We list Alice’s attack 
strategies in Table 1. 


3.4 Charlie’s attack 

In the original scheme, Charlie can also attack the program by modifying the 
signature S at will. 

Charlie is the signature collector whose duty is to collect all the individual 
signature S)(« = 1,2, ••• ,t ) and extract in[ by first recovering each | <p(j))c 
to mj)) c according to Eq. (14) and then measuring \tp'(m))c in the basis 
°f {75(1 °)m + |1)m), 75(10)m — |1)m)}- Charlie can modify the signature S 
into arbitrary S' and keep the message rn\ unchanged after confirming the 
message. Because Bob just verifies whether m is equal to m[ or not, S' can 
pass the verification without being discovered. 
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Table 1 Alice’s attack strategies: First, Alice measures ma to get S%(j) = fikh but 

she sends \Pk'l') MA to Ui instead. Then the signature Si(j) has been changed into (j ). 
At the same time, Alice performs a corresponding unitary operation V on \<p(j))c before 
sending it to Charlie. 


3.5 Eavesdropper Eve’s forgery attack 

In Ref. [51], it is declared that the eavesdropper Eve can’t forge U^s signa¬ 
ture on the assumption that she can get Ui s secret key KcUi because of the 
quantum teleportation. Here we show that Eve can forge Ui s signature at will 
even though she knows nothing about the Ui’s key KcUi- 

Here we take a 1-bit message m(j) to make a demonstration. This is an 
imcomplete message m(j) whose signature is S)(j). Eve replaced S',(j) with 
another S' (j ) when it is sent from Ui to Charlie. Then Charlie will recover 
the message according to S'(j) based on teleportation. Suppose the signature 
Si(j) is /?oo- It is changed into 5-(j) = 0oi under Eve’s attack. We take an 
illustration as follows: 

(1) Without Eve’s attack 

Suppose the signature Si(j) is /?oo and Charlie’s particle C is in the state 

\<PU))c = ^=(\0)c + d\l) c ),d = ±l. (24) 

Then Charlie will perform I on his particle to recover it to the information 
state | ip'(j))c according to Eq. (14), here 

W{j))c = I\v{j))c = -^(lO)c' + d\l) c ). (25) 

After that Charlie measures it and extracts the message m!(j) as 


m'{j) = 


(2) With Eve’s attack 


1 

0 


if 

if 


d = 1 

G? = 0. 


(26) 
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The signature is tampered with S[{j) = /3oi with Eve’s attack, Charlie will 
perform X on his particle C which is still in the state of Eq. (24). Then the 
state of C will be 


Wij))c = X\<fiU))c = ^(|1 )c + d|0)c). (27) 

After that, Charlie measures \ip'(j))c to extract the message m"{j) as 


m"(j) 


1 if d = 1 
0 if d = 0. 


(28) 


From Eq. (26) and Eq. (28), we can see Charlie will get the same messages, 
i.e., m"(j) = m'{j). See the list of all the cases in Table 2. 



Table 2 The relation between m'(j) and m"(j) under the circumstance that the signature 
S t (j) is tampered with by S'- (j) under Eve’s attack. 


From the second column of Table 2, we can see /3oo and 0oi are inter¬ 
changeable and so is the 0 io and /?n. Specifically, when Eve tampered with 
Si(j ) = /3oo(Pio) by S'-(j) = floiiftn) or vice versa, Charlie will extract the 
same message. Precisely, m'(j) is equal to Accordingly, 5-(j) can al¬ 

ways pass the verification. Eve’s other modification of the signature is not inter¬ 
changeable. We can see all the other cases get different message in"(j) ^ m'(j), 
but they all satisfy in"(j) = m'(j) © 1 where ® is modulo 2 addition. 

From Table 2, we can make a law of the message and its corresponding 
signature as follows: 

If the signature <S)(j) = 0u is changed into S[{j) = 0k’l ', then their corre¬ 
sponding messages m'(j) and m"{j) (k,k',l,l' £ {0,1} j = 1,2,- ,n) will 
satisfy 


'(j) = 


m'(j) if k = k' 
m!{j ) © 1 if k^k!. 


(29) 
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Next we show Eve can forge each signature Si by the intercept-resend 
method. Eve can intercept Ejl cu (Si) when it is sent from Ui to Charlie. She 
adds a 2n-bit binary string 


l = *1*2 ■ ■ ■ *2 n (30) 

to Ek cu (Si) and sends it to Charlie. Then Charlie will get 

S't = Si © l. (31) 

Charlie will recover the information m" based on S\ according to the telepor¬ 
tation rather than Si. Then Charlie will get 

m" = m! © l', (32) 

where 

l' = jlj2-■ ■ jn- (33) 


According to Eq. (29), l' must satisfy 


jk 


0 if * 2 fc-i = 0 
1 if * 2 fc-i = 1. 


(34) 


At the same time, Eve intercepts E^ AB (m) in the Step (1.3) and resends 
Ej^ A b (m) © l 1 to Bob. Then Bob will get m © V instead of m. S[ will be 
accepted for the signature of m © l'. We can see that Eve’s forgery attack can 
get successful. 


4 An improved scheme 

Here we present an improved scheme and show it can resist all the attacks men¬ 
tioned above. Also the secret keys can be reused which can provide efficiency 
and practicality. 

Before we present the improved scheme, it is necessary to introduce the 
QOTP algorithm it uses. Suppose a quantum message 

n 

I P) = 0 I Pj) (35) 

3 =1 

is composed of n qubits 

\P J )=a j \0)+p j \l), (36) 


where 


M 2 + lftl a = i 


( 37 ) 
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and the encryption key I\ £ {0, l} 4ra . The QOTP encryption Ek used in this 
scheme on the quantum message can be described as 

n 

Ek(\P » = 0 a^a^Ta^a^- 3 \P 0 ) (38) 

3 =1 


where 



cr v + cr z ). 


(39) 


This QOTP encryption Ek is the improved one introduced in Ref. [52] for 
the first time. The assistant operator T can make sure the encrypted message 
can not be forged in the scheme. Distinctly, for arbitrary message |P), there 
are no non-identity unitary V and unitary U such that 

E^ k VE k \P) = U\P). (40) 


In order to make the secret keys reusable in the improved scheme, we use 
a one-way hash function here [7]: 


H{x) : {0,1}* —> {0, l} 4 ”. 


(41) 


This scheme also contains four factors: (1) Alice is the message sender. (2) 
Ui (i = 1,2, • • • , t) is the i-th member of broadcasting multiple signatory. (3) 
Charlie is the signature collector. (4) Bob is the receiver and the verifier of the 
broadcasting multiple blind signature. 

The improved scheme is also composed of three parts: the initial phase, the 
individual blind signature generation and verification phase, and the combined 
multiple blind signature verification phase. 

(1) Initial Phase 

(1.1) Quantum key distribution 

Alice shares the secret key Kab with Bob, Kac with Charlie, and KAUi 
(i = 1,2, ,t) with each signatory Bob shares a secret key Kbc with 

Charlie; Charlie shares secret keys Kcut (« = 1, 2, ■ - - ,t) with each signatory 
Ui. All the secret keys are 4n-bit. To obtain unconditional security, all these 
keys are distributed via QKD protocols. 

(1.2) Message concealing and message transformation 

Alice gets m' = m © r where m is an n-bit classical message and r an n-bit 
random binary string. Alice transforms the classical message m' into n-qubit 
state 


I = 0 | 

3 =i 

b\0)M + c | 1 )m 
c | 0 )m — b\l) M 


(42) 


where 


I V>0'))m = 


if Tn'(j) = 1 
if m ’(j) = 0, 


(43) 
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b, c are different real constants. 

(1.3) Alice sends the message m to Bob 
Alice transforms m into | m) as 


\m) = 0| m(j)), 
j =i 


(44) 


where 


I m{j)) 


|0) if m(j) = 0 
|1) if m(j) = 1. 


(45) 


Alice randomly chooses a 4n-bit binary sequence r$, computes H(KabW'T'o), 
and sends [EH(K AB \\r 0 ) (l m ))] ® |^o) to Bob where 


4 n 


M = 0 Mi)), 

i=i 


(46) 


and 


Mi)> 


|0> if r 0 (j) = 0 

| 1 ) ^ Mi) = !• 


(47) 


Bob extracts r 0 by measuring each particle of |ro) in the basis {|0),|1}}. 
Then he can compute H(Kab |ko) and decrypt EH(K AB \\ro )(\ m )) t° get |m). 
After that he can get m by performing a measurement in the basis {10), 11)}. 

(1.4) Alice sends r to Charlie 

|r) is generated as Eq. (46) and Eq. (47). Further more, all the IrQ’s genera¬ 
tion in the rest of the scheme is always the same. Alice sends E H ( KAC \\ ri )(\r))® 
|ri) to Charlie. Then Charlie extracts r by performing a measurement in the 
computational basis. 

(2) The individual blind signature generation and verification phase 

In this phase, we pick one of the signatory Ui as the representative who 
signs the message. 

(2.1) Quantum channel setup 

Charlie prepares n+l pairs of EPR particles denoted as {\a{\))uiC, H2))u,c, 
■■■ , | a(n+l)) UiC }, where \a{j)) UiC = ^(|00) i7i c + |ll)i 7 i c),j = 1,2,- -- ,n+l. 
Then he sends the first particle to Ui and keeps the other himself for ev¬ 
ery EPR pair. After Ui receives all particles, Charlie randomly chooses l 
particles to perform a measurement randomly in the basis of {10), 11)} or 
{-f=(|0} + |l))>^f(|0) ~ 11))} and reports the position of the particles that 
he has measured and the basis that he has chosen to Ui. Ui takes the same 
measurement on the corresponding particles and compares the measurement 
outcomes with Charlie. If there is no error, the channel is considered to be 
safe. Otherwise, they abandon the quantum channel and set it up again. 

(2.2) Signature Phase 

(2.2.1) Alice sends the information quantum state \ijj{m'))M to Ui 
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Alice randomly chooses a 4n-bit sequence r 2 and computes H (K auPV'-i) ■ 
Then she sends [E H (K AUi \\r 2 )(\ip(,m')) M )\ 0|r 2 ) to Ui- 

(2.2.2) Ui signs the message m 

Ui decrypts [E H {K AU .\\r 2 )(\‘4>('m,')) m)] to get \ip(m')) M by first extracting r 2 
and then computing H{KaUi 11)• He generates {\ip(j)) MUi |j = 1,2, ■ ■■ , n} by 
combining each \U(jj) m with his EPR particle. Then U t performs a Bell basis 
measurement on {\il’(j)}MU t | j = 1, 2, • • • , n} to get the outcomes {pMUi (j) | j = 
1,2, ••• ,n}. According to Eq. (14), /3 MU t {j) is an Bell state \Pu) which can 
be expressed in 2-bit classical string according to \Pu) —> kl,k,l £ {0,1}. By 
introducing a 4n-bit random binary string Ri, Ui gets the blind signature Si 
of m! as 


Si = (Pi ® KcUi)\\H[(pi ® I<cUi)\\Ri] (48) 

where 

Pi = pMUi (1)| \pMUi (2)|| • • • ||^mc/ 4 0')II • • • II pMUi(n). (49) 

(2.2.3) Ui sends \Sp to Charlie 
Ui transforms Si into quantum state | Sp as 


6n 


I Si) - 0 \Si(j)) 

3 = 1 


(50) 


where 


\Si{j)) 


|0) if Si(j)= 0 
|1) if Si(j) = 1. 


(51) 


Ui randomly chooses a 6 dimensional 4n-bit string vector r$ = (?’g , r|, r|, r|, 
r|,rf) and computes H(K C Ui\\r 3 ). Then he sends \E H ( Kcu , j( r3 ) (\S t ))] ® |r 3 ) 
to Charlie where 


H(K CUi \\r 3 ) = H(KcuP\rl)\\H(KcuP\rl)\\H(K C uM) (52) 
\\H(Kcu i \\'i't)\\H(KcUi WrDWHiKcUi ||r|) 

and 

|r 3 ) = |rh ® | rl) ® |r*|> ® |r^) ® |rf) ® |r|). (53) 

(2.3) Verification Phase 

(2.3.1) Charlie decrypts E H ( Kcu i[: r3 )(!<%)) to get IS 1 ,), then he can get S[ 
by performing a measurement in computational basis. After that he further 
gets Pi based on KcUi according to Eq. (48). Here 

SI = (P’i ® K CUi ) \\[H[(Pi © K CUi )\\Ri}]' (54) 

If there is no incorrection happened in the transmission and measurement, p\ 
and S\ will be equal to pi and Si respectively. 
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(2.3.2) According to f3[ and quantum teleportation in Eq. (14), Char¬ 
lie performs one of the corresponding reverse transformation (/, X 1 Y, Z) on 
each particle in his hand. He obtains the states of these particle denoted as 
{W{j))c\j = 1,2, • • • , n}, which carry information of message m". 

(2.3.3) Charlie gets rn" by measuring each \ip'(j))c, j = 1,2, • • • ,n in the 
basis of {6|0 )m + c|l )m, c|0)m — 6|1)m}- Then he computes m* = m" © r and 
sends [E H (K BC \\r 4 ,)(\ m *))\ ® Va) to Bob. 

(2.3.4) Bob decrypts E H ( KBC \\ ri )(\m*)) to get \m*) and further gets to* 
by performing a measurement in the basis of {|0), 11)}. Then he compares to* 
with to. If they are not equal, 5) is rejected. Otherwise, Bob informs Charlie 
and Ui to announce S[ and Ri on the public board, respectively. Then he 
computes #[(/?( © Kcut)\\Ri] and compares it to [H[(j3i® KcudWRi]}' ■ If they 
are the same, Si is accepted. Otherwise, Si is considered to be compromised 
and it is rejected. 

(3) The combined multiple signature generation and verification phase 

(3.1) Charlie generates the message sequence {m*\i = 1,2, • ■ ■ ,t} and col¬ 
lects all individual signature {S''|i = 1,2, ■■■ ,t}. If to* is equals to m* +1 , 
(i = 1,2, • • • , t — 1), he confirms the message and generates the multiple signa¬ 
ture S = {S''|i = 1,2, • ■ ■ ,t}. If not, the process is terminated. After Charlie 
confirms the message, he sends [A l //(x BC ||r 5 )(l TO i))] ® l^s) to Bob. 

(3.2) Bob decrypts E H (k B c ||t- 5 )(|to*)) to get | m*) and further gets m\ by 
performing a measurement in the basis of {10), 11)}. Then he compares to^ 
with to. If they are not equal, S is rejected. Otherwise, Bob informs Charlie to 
announce S and each Ui(i = 1,2, • • • , t) to announce Ri on the public board, 
respectively. Then he computes F and compares it to F' where 

F = {[[[(Pi © K CU i)\\Ri*],i,i* = 1 , 2 , ■ ■ ■ ,t} ( 55 ) 

F' = {{H[(f3i © K CU i)\\Ri]]', * = 1 , 2 ,--* ,t}. ( 56 ) 

If F' C F, S is accepted. If not, S is rejected. 

Let’s use Figure 1 to illustrate our quantum signature model as follows: 


Signature Phase Verification Phase 



Figure 1. The Quantum Signature Model of The Improved Scheme 
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Next, we list the improvements of our new scheme compared to the original 
one: 

(1) Introducing the improved QOTP encryption algorithm. 

(2) Bringing in a hash function to authenticate the originality of the sig¬ 
nature. 

(3) The secret keys become reusable by introducing some random strings. 

(4) Bringing in public boards. 

(5) Classical message is concealed before turning into quantum message. 
Meanwhile, the transformation method in the improved scheme is according 
to Eq. (43) rather than Eq. (5) in the original one. 

(6) The entangled quantum channel between Charlie and each 17* (i = 
1, 2, ■ • • , t) is set up by Charlie rather than Alice. At the same time, a channel 
checking process is added to make sure it is secure. 

(7) Classical message from Alice to Bob is transmitted through quantum 
method in Step (1.3). 


5 Cryptanalysis of the improved scheme 

In this section, we present the security analysis of the improved scheme, we 
show there is no disavowal and forgery in the improved scheme. Meanwhile, we 
also point out the signatory cannot learn the signed message and the signed 
message cannot be modified by attackers in the improved scheme. 


5.1 No disavowal 

5.1.1 Each signatory Ui cannot disavow his signature Si 

From Eq. (48), we can see that because each Si contains 17*’s secret key KcUi 
in the improved scheme, Ui cannot disavow his signature Si. Meanwhile, Ui 
cannot disavow Si by the intercept-resend method mentioned in Ref. EH- 
Because in Step (2.3.4) Charlie announces Si on the public board instead of 
sending it to Bob, which is only for reading on the public board, Ui can’t 
disavow his signature by intercept-resend method. 

5.1.2 The receiver Bob cannot disavow the signature 

In the improved scheme, the signature S is announced on the public board by 
Charlie when Bob informs him m = m\ in Step (3.2) so that everyone can 
witness Bob has received the signature, so Bob can’t disavow his receiving the 
signature. Also, Bob can’t disavow the integrity of the signature by claiming 
to ^ to* as in Ref. [4]. Assume m = m\ and Bob lies to claim to ^ to* for 
his own benefit in Step (3.2). We can ask Alice , Charlie and Bob to public 
announce the message respectively. Then the dishonest behavior of Bob can 
be catught according to the voting rule, on the assumption that there is no 
collaborate attack. 
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5.2 No forgery 

According to Eq. (48), each S,; is composed of /3 i; Kcu t and Ri- Here we show 
there is no participant forgery and external forgery in the improved scheme. 

5.2.1 Alice cannot forge the signature 

In the improved scheme, Charlie prepares the EPR pairs {\a(j))ciii \j = 
1,2, ,n + Z}, Alice just prepares the information state | ip(m'))M so that 
she cannot get each /?, by measuring each \ip(j))MUi directly. Next we show 
Alice cannot get /3j by intercept-resend method either. Assume Alice intercepts 
each | ip(j))ui and resends the measurement outcome \fiki)MUi to Ui. Because 
Charlie and Ui performs a checking process in Step (2.1), Alice’s intercept- 
resend attack will be discovered. According to the improved scheme, Alice 
cannot get /3*. Ecu, is shared between Charlie and Ui via QKD protocol so 
that Alice has no chance to get it. Moreover, Ri is chosen by Ui randomly and 
it is not acquired by anyone else until it is announced on the public board so 
that Alice cannot get it in the signing phase. Therefore, Alice cannot forge the 
signature. 

5.2.2 Charlie cannot forge the signature 

Charlie, the signature collector who can get each S[ and the secret key KcUi 
in the improved scheme, is considered to be most likely to forge the signature 
successfully. Here we show he cannot forge the signature either. Charlie can 
modify the signature at random and keep the message unchanged when he 
has confirmed the message, which has no influence on the following message 
comparison. Charlie cannot learn each Ufs random string Ri. Since he does 
not know how to modify H'[(f3i ® KcUi)\\Ri\ to fit his modification determin¬ 
istically, Charlie’s forgery attack can definitely be discovered in Step (3.2). 

5.2.3 Bob cannot forge the signature 

Bob is the receiver of the scheme, he cannot get the signature S until Charlie 
announced it on the public board. Therefore, the only way Bob can modify 
the signature is to perform a unitary operator V on E H ( Kcu || r3 ) (IS))) in Step 
(2.2.3). According to Eq. (40), Bob’s modification cannot follow his will, then 
it will be definitely discovered in the verification process. As a consequence, 
Bob cannot forge the signature. 

5.2.4 The eavesdropper Eve cannot forge the signature 

In the improved scheme, the classical bit in'(j) is transformed into quantum 
state according to Eq. (42) and Eq. (43). Here we take a 1-bit message m'{j) 
to illustrate any of Eve’s modification on S.;(j) can be detected. 
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Supposed Si(j) = floi is replaced with S[(j) = /?oo by Eve, the corre¬ 
sponding message are m.'(j) and m"(j) respectively. We present this case as 
follows: 

(1) Without Eve’s attack: 

(1.1) Assume Alice prepares the state |V>(j))m = 5|0)m + c|1)m and its 
signature is S'i(j) = /3oi, according to the teleportation, Charlie’s particle will 
be in the state \<p(j))c = b\l )c + c|0)c- Then Charlie performs operation 
X on | if(j))c to get the state \ip'(j))c = &|0)c + c|l)c- After that Charlie 
performs a measurement in the basis of {&|0 )m + c|1)m,c|0)m - b\l )m}) to 
extract m’(j) = 1. 

(1.2) Assume Alice prepares the state |V'(j))m = ( c | 0 )m — &| 1 ) m ) and its 
signature is Si(j) = /?oi, according to the teleportation, Charlie’s particle will 
be in the state \<p(j))c = c|l) c - b\0)c- Then Charlie performs operation 
X on \tp(j))c to get the state \ip'(j))c = c|0)c — b\l )c- After that Charlie 
performs a measurement in the basis of {&| 0 )m + c | 1 ) m , c | 0 )m - b\l ) m }) to 
extract m’(j) = 0. 

(2) With Eve’s attack: 

(2.1) Assume Alice prepares the state |V’(j))m = 6|0)m + c|1)m and Eve 

replaces Si(j) = /3oi with S[(j) = /3oo, then Charlie’s particle is still in the state 
| (fi(j))c = b\l)c + c|0)c as Eve’s attack has no effect on it. According to the 
teleportation, Charlie will perform operation / on | <p(j))c to get \%p'{j))c = 
b |1) c + c|0) c . After that Charlie performs a measurement in the basis of 
{b\0 )m + c\l) m, c\0)m ~ &| 1 ) m }) to extract it will have a probability of 

4& 2 c 2 to get m"(j) = 1 and a probability of c 4 + b 4 — 2 b 2 c 2 to get m"(j ) = 0. 

(2.2) Assume Alice prepares the state \ ip ( j))M = (c|0)m — 6|1}m) and Eve 
replaces Si(j) = /?oi with S'^j) = 0oo, then Charlie’s particle is still in the 
state | <p(j))c = c|l )c — 6|0)c- According to the teleportation, Charlie will 
perform operation / on | <p{j))c to get |V’ , (j))c = c|l) C - b\0)c- After that 
Charlie performs a measurement in the basis of {b\0 )m + c\l) m, c|0 )m — b\\) m} 
to extract m"(j), it will have a probability of c 4 + b 4 — 2 b 2 c 2 to get m"(j) = 1 
and a probability of 4& 2 c 2 to get m"(j) = 0. 

From (1) and (2), we can see that Eve’s modification of the signature can 
be discovered in Step (2.3.4) with a non-zero probability. Other cases can be 
presented similarly. We can see Eve cannot forge the signature. 


5.3 Each [/,; cannot learn the signed message 

In the improved scheme, the classical message m is turned into m! = m® r 
before it is transformed into quantum states. If [/,; performs a measurement 
in the basis of {6|0 )m + c|1)m>c|0)m — &|1)m} on the information quantum 
sequence {|V 7 (J))A^r|J = 1, 2, • • • , n}, he will just get m' and has no chance to 
get the signed message m. If he wants to learn m , he has to know r which will 
be sent from Alice to Charlie in Step (1.4). Because r is turned into |r) and 
encrypted by Kac according to the quantum one-time pad algorithm during 
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its transmission, [7j cannot get the random string r without the key Kac- 
Therefore, we know [/, can’t learn the signed message to. 


5.4 The signed message m cannot be modified 

In the improved scheme, the signed message to is turned into quantum state 
|to) according to Eq. (44) and Eq. (45) before it is sent from Alice to Bob 
in Step (1.3). It is encrypted by H(Kab\\i~o) according to Eq. (38). Here 
we show any attacker without the key Kab cannot modified the message to 
by the intercept-resend method. Suppose the attacker wants to modify the 
signed message to. He intercepts the [E H ^K AB \\r 0 ){\ m ))] ® |ro). Because he 
does not get the secret key Kabi the attacker cannot decrypt it directly. Then 
he can choose to perform a unitary operator V on [EH(K A B\\ro)(\ m ))} an( i send 
V[EH{K A B\\ro)(\ m ))\ ® l r o) to Bob. In order to make sure this modification can 
pass the verification, there must exist a non-identity unitary operator U to 
satisfy Eq. (40). Because | m) is from classical message to according to Eq. 
(44) and Eq. (45), here U can be restricted to Pauli operators. Exactly 

V[ E H( KAB \\r 0 )(\m))\ = E H{KAB \\ ro) (U\m)) (57) 

n 

u = ®Q j 

i=i 

Qj ^ {Ii 7 &y , &z } 

The question the attacker has to face now is whether there exist such non¬ 
identity unitary operators U and V to satisfy Eq. (57). Unfortunately, it is 
pointed out that there doesn’t exist such U and V for any message | to) in 
Ref. [52]. Then the modification mentioned above will be discovered in the 
verification process. 

Next, we show Bob can modify the signed message to at random in the 
improved scheme, but we can rebute it by the voting rule when this dispute 
takes place. Because Bob has got Kab and Kbc, according to the improved 
scheme, he can modify to at random and make this modification can pass the 
verification. When the dispute on the message to happens between Alice and 
Bob, we can ask Alice, Bob and Charlie to public their message and arbitrate 
it according to the voting rule on the assumption that they are all just loyal 
to themself. From above, we can see the signed message cannot be modified 
in the improved scheme. 


6 Conclusion. 

In this paper, we first gave a security analysis on the quantum broadcasting 
multiple blind signature scheme based on teleportation in Ref. El, which has 
recently been proposed. We point out that there are some security loopholes in 
the protocol and describe the attack strategies in detail. Then we present an 
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improved scheme by introducing hash function, public board, and the improved 
QOTP encryption algorithm proposed in Ref. m- After that, we show the 
improved scheme can resist all the mentioned attacks and that the secret keys 
can be reusable by bringing in some random strings. The improved scheme is 
more practical and secure. It will have foreseeable applications to E-payment 
system, E-business, and E-government. 

The improved quantum broadcasting multiple blind signature can only sign 
classical message. So it is worthwhile for us to designing a scheme for quantum 
messages in the future. 
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